The report contains what appears to be significant changes. The report includes mention of the FakeAv scams that have plaqued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occuring on a large enough scale to quantify the criminal activity.

The report provides list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

The bogus software follows the trends that we presented at Virus Bulletin 2008 two years ago, where we noted the rising FakeAv families and technical details of “Recent Rogueware”, similarities with previous other malware families, and their delivery.

There are a lot of technical details to understand about click fraud, and even more that go into evading click fraud sensors. A previous post details how one group camouflages their bot generated queries from fraud monitoring systems by stealing search terms from live humans on infected systems and then re-uses them.

This post will set out to describe another set of click fraud components and activity used by a financially motivated group distributing Zbot and FakeAv in addition to the click fraud components. The group expends considerable effort to distribute their crimeware packages and consistently use blackhat Seo tactics and crack sites. They implement polymorphic malware executables to evade AV scanners on victims’ desktops and anti-reversing and encryption technology to foil analysis. Their click fraud, most likely generating lower revenues than their Zbot and FakeAv activity, probably is more stable and helps keep their money mules, web operators and developers paid, and potentially keeps potential domain squatting sites paid for. They appear to act as a well run money making organization. We also know that the click fraud components are delivered alongside “Alureon/TDSS/Tidserv” drivers, so they are not the only ones spreading the stuff.

A couple of ad-network affiliate related terms and concepts to understand: CPM (cost-per-impression) and CPC (cost-per-click). They are what drive advertising and payouts for ads on the web pages you view. For example, when you browse an online radio web site and it displays an ad for online movie rentals, it’s most likely not because the radio station has a contract with the online movie rental store to display its ads. Instead, they make a deal with an “online media company” with an affiliate program to display whatever ads they provide to them to display. When 1,000 users see the ads on the radio site’s web pages, the ad network pays out a small sum of cash to the operator of the website. The more impressions or views, the higher the payout. Technical details relevant to click fraud of syndiation, sub-syndication and referral deals in Neil Daswani, et al Clickbot.A paper here.

Knowing this simple setup leads to payouts, these cheats looking for easy cash attempt to set up phony web sites hosting ad banners, then infect large numbers of systems with click fraud components (alongside the Zbot spyware and FakeAv), and visit various pages and ads from these infected systems repeatedly. In our lab, these click bots hit banner ads at random rates. Sometimes, they would hit four per minute, wait a couple of hours, and then move on to other sites, where odd videos and pictures are haphazardly posted alongside ad banners. Usually, they would start at a site hosting a slew of bizarre videos, like this one.

The advertised images included ads from tire and tune shops, some restaurants, RV and trailer exchange sites, ringtone sellers, an ad council, singles sites, and many more. Let’s take a look at the components and the network traffic. The main executable performing the click fraud activity most often goes by the file name “msa.exe”, although the file name for the malware is fairly arbitrary over time, and weigh in at approx 100-200 kb. As mentioned above, distributors get the executable onto target systems via blackhat Seo tactics, P2P sharing and crack sites.

Once running, the msa.exe code connects back to one of several sites that have changed over the past several months to exchange initial request information. For example, the malware POSTs data collected from the system to a hard-coded web server address; in January and February, several of the servers’ online locations were fgage. com, tooldawn. com, bestalias. com, iepil. com, and theastic. com. The physical location of the servers themselves seems to move, sometimes in Canada or the US, between major hosting sites. The encoded response to the msa.exe POST is received by msa.exe and copied to a .dat file. This response is decoded by the bot and the Urls to “click” are extracted. It is this list that the bot uses to fetch commands, sites and ads, knowing what Urls are “clickable” and what are available for impressions only, how long to pause between clicks, etc. The data is neatly xml formatted:

<root>…..<pause>15</pause>..<clickable>250</clickable>..<visible>100</visible>..<searchlimit>3600</searchlimit>..<time>126593</time>…
<tag type=”iframe” weight=”26″ search=”100″ clicks=”1″ id=”3008″ clickable=”252″>…<feed><![CDATA[http://ad.r----m
edia.com/st?ad_type=iframe&ad_size=468x60&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”23″ search=”100″ clicks=”1″ id=”3007″ clickable=”328″>…<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=300x250&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”26″ search=”100″ clicks=”1″ id=”3005″ clickable=”280″>…<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=120x600&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”21″ search=”100″ clicks=”1″ id=”3006″ clickable=”227″>…<feed><
![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=160x600&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”25″ search=”30″ clicks=”1″ id=”3045″ clickable=”471″>

After extracting the urls to click, it then hits the web sites described earlier pasted over with oddball videos and images, hosting banner ads. An example from the many over the past few months is tu—aster. com:

After retrieving images and ads from this second site, request sequences often look like this one, which we’ve altered both for brevity’s sake and for privacy concerns, but allowed enough data to be recognized by fellow researchers:

hxxp://ad1.ad–vo. com/st?ad_type=iframe&ad_size=728×90&section=758786
     hxxp://ad2.ad–vo. com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad2.ad–vo. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
     hxxp://ad.yie—-nager. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
     hxxp://ad1.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad2.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.as–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad.yie—-nager. com/iframe3?juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
     hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;cfp=1;rndc=126635781;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
     hxxp://pagead2.g—-esyndication. com/pagead/show_ads.js
     hxxp://g—-eads.g.—–eclick. net/pagead/test_domain.js
     hxxp://pagead2.g—-esyndication. com/pagead/render_ads.js
     hxxp://g—-eads.g.—–eclick. net/pagead/ads?client=ca-pub-8175825562880389&output=html&h=90&slotname=8878168224&w=728&ea=0&flash=6.0.79.0&url=http%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728×90%26ad_type%3Diframe%26–ler.com%2Fiframe3%0juvrDBw5kMNESk6cFF%3D%3D%2C%2Chttp%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728×90%26ad_type%3Diframe%26fil%3Dgw%26section%3D758786&fu=0&ifi=1&dtd=218
     hxxp://g—-eads.g.—–eclick. net/pagead/imgad?id=CMSty_OwpaPOXxDYBRhPMggZu9r8MIRZeQ 

Also hit are any one of long lists of domains that at the time of writing are “parked”, or “squatted” domains:

 hxxp://collect—-ofcoloniesofbees. com/
hxxp://tra—-splay. com/movies.php
hxxp://aliv—-son. com/
hxxp://allcandlem—-g. com/
hxxp://ano—-look. net/
hxxp://—-l. com/
hxxp://—-l. net/
hxxp://apartm—-areus. com/
hxxp://apart—-toshare. com/
hxxp://abso—-look. com/
hxxp://a—-ake. com/
hxxp://ariz—-ades. com/
hxxp://a—-. com/
hxxp://ar—-. com/
hxxp://a—-. com/
hxxp://a—-look. org/

ThreatFire effectively protects against the deliver vector in the first place. It first targets the evasive downloader, poorly detected by AV engines, so Zbot, FakeAv, and these click fraud components never reach the system and the clickbot never runs.

Fake scan results are presented immediately…

As we have been presenting for the past several years, the user is tipped off that something is amiss when their software claims it is “unregistred”, see the window’s title bar.

Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window, claiming the system is infected with Trojan-BNK.Win32.Keylogger.gen, recommending activation of XP Internet Security 2010…

When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010″ appears…

Running down the side of the page, they make fraudulent claims to have won awards from West Coast Labs and Virus Bulletin:

Entering personal information into the form POSTS the information to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend you avoid entering any personal information and clean up the infection instead:

ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.

Victims of this scam will have a hard time ignoring the screaming new message on their desktop, “YOUR SYSTEM IS INFECTED”. The familiar red X appears in the system tray in the lower right corner of the screen, and multiple phony scan images subsequently pop up.

Next up is a phony but thorough listing of all the detected malware that doesn’t really exist on the user’s system, described with a “Critical vulnerabilities found!” header and a mishmash of security industry buzzwords thrown together in a non-sensical phrase “Proactive system found several active vulnerabilities on your computer”…

And, after shocking the user with this series of blatently false warnings, coming up is the money maker, a suggestion that the user get a license or pay for Internet Security 2010:

If the user ignores the above warnings and tries to continue their work, they instead are assailed with scare-tactic messaging from the bottom right corner of the screen…”Click here to protect your computer from spyware!”…

And “System Warning! Continue working in unprotected mode is very dangerous”, another phony taunt…

Good thing that ThreatFire can keep this stuff off of your system in the first place, and Spyware Doctor+AV is known to effectively clean up previously infected systems.

Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that  millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.

Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.

As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.

If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice in high volume. Which provides a whole new platform of interest and attention from money making malware writers. It is inevitable that they will shift their attention to the newest defenses implemented in the most widely deployed platform.

The most common single piece of malware run on Windows 7 Rtm systems, as observed in the ThreatFire Community to-date, has been Protection System FakeAv variants and its droppers. The dropper is usually a part of a crack or keygen distributed at crack sites and over P2P. It drops out multiple other unwanted components, including the FakeAv. It is a common thing to have seen in the past on other platforms. What is different here, is that User Account Control, a feature introduced in Windows Vista, has been reviewed and modified, newly delivered with 7.

At runtime, the Windows 7 related scareware files are dropped to disk and the dropper creates some porn-related shortcuts on the desktop. The offending dropper makes registry key creations to ensure persistence across reboots without a peep from UAC in its default settings, even when logged in as a Standard User. Another executable responsible for many of the popups is copied to the profile directory. A phony scan is kicked off (thousands of pieces of malware were stored on the system and all were not detected), and two hard coded detections are displayed. And no, there isn’t a legitimate vendor that maintains malware family names as variants of “GayCodec”:

Multiple pop-ups appear for phony malware detections and payment/activation. All without a peep from Windows 7 UAC. At reboot, the malware persists, restarts, and performs its worthless rescan again, this time spoofing messages from the Windows firewall with a randomized list of malware that are not running on the system:

It’s reported to attempt uninstall on other security products, which was not observed on lab machines.

All in all, the release seems to be a hit. As volume picks up, most likely so will Windows 7-targeting malware. Users should be aware of scams like this one and always purchase software from legitimate vendors. And install a behavioral layer of protection over and above UAC on your system like ThreatFire, which runs well on Windows 7 and keeps your system protected.

The installer drops cs.exe to c:\program files\cs\cs.exe on your system and runs it, which prompts the user with nagging popups. If you are seeing “Cyber Protection Center reports that ‘Cyber Security’ is inactive” on your system, do not activate it:

Standard set of phony detections to scare the victim into paying for the software:

“Cyber Protection Center” gui has become the “usual” Microsoft security center spoof:

The naming has changed a bit. The typical download Url will look like a variant on this scheme:
91.212.107. 5/download/Soft_40s5.exe
91.212.107. 5/download/Soft_257.exe (starting 10/13)
91.212.107. 5/download/scanner-323_2007.exe
91.212.107. 5/download/scanner-323_2007.exe (starting 9/8)
91.212.107. 5/download/antivirus-8D5D21_2015-5.exe
91.212.107. 5/download/antivirus-32CED34_2007.exe (starting 8/12)

This month’s moves include ip and domain changes:
91.212.107.5
best-antispyware-09 .com
best-antispyware-11 .com
computer-protection-7 .com
computer-protection-9 .com
quick-antimalware-2 .com
top-antispyware-scan9 .com
topantimalwarescan5 .com
wwwantispyware-01 .com
your-pc-protection0 .com
your-pc-protection2 .com
yourantispyware-2 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

83.133.119.154
yourspywarescan0 .com
computer-protection-7 .com
computer-protection-9 .com
ftp.dot5productions .com
your-pc-protection0 .com
your-pc-protection2 .com
yourspywarescan0 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

85.12.24.12
computer-protection-7 .com
computer-protection-9 .com
your-pc-protection0 .com
yourspywarescan0 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

Do not activate the product:

What will the group have in store in November? We’ll wait and see. In the meantime, PC Tools ThreatFire users and the recently award winning Spyware Doctor with AntiVirus 2010 (with Behaviorguard) are well protected from this round of scareware.

The ThreatFire community has seen this stuff effectively prevented on desktops using a variety of names since the servers have been delivering the FakeAv, also known as Downloader.MisleadApp, Trojan.Fakeavalert, XPAntivirus and Trojan:Win32/FakeXPA. Here are just a few of the resource variations that ThreatFire has identified over the past few months:

88.198.107.25 /DOWNLOAD/ANTIVIRUS-5920E_2007.EXE
88.198.107.25 /DOWNLOAD/ANTIVIRUS-E92EFB7_2024-2.EXE
88.198.107.25 /DOWNLOAD/ANTIVIRUS-8023A_2024-2.EXE

94.102.51.26 /DOWNLOAD/INSTALL-C8D161_2006-31.EXE
94.102.51.26 /DOWNLOAD/SETUP-A3B7FBB_2024-3.EXE
94.102.51.26 /DOWNLOAD/SETUP-3985EC_2009-2152.EXE

91.212.107.5 /DOWNLOAD/ANTIVIRUS-9F83_2024-5.EXE
91.212.107.5 /DOWNLOAD/INSTALL-9EC30A_2006-71.EXE
91.212.107.5 /DOWNLOAD/INSTALL-C22753_2004.EXE

These servers are hosted in Germany, the Netherlands, and Cyprus, but their victims are located throughout the world. In this case, potentially where-ever NY Times readers may be located. Be sure to add a behavioral based security solution to your system. The banner ads seem to have been acted on quickly, as there has been no additional reports and there have been no further identifiable malicious banners.

88.198.81. 153/download/antivirus-9446_2001-2.exe
advancedvirscanner3 .com
antivirus-scannerv17 .com
best-security-scanv8 .com
bestantivirusscanv8 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com
reliable-scanner06 .com
superb-virus-scan03 .com

83.133.126. 201/download/antivirus-DEA18_2033-7.exe
advancedvirscanner3 .com
antivirus-scannerv17 .com
antivirusquickscan2 .com
bestantispywarescanv4 .com
bestantivirusscanv8 .com
intellectual-vir-scan01 .com
intellectual-vir-scan03 .com
intellectual-vir-scan05 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com
protectedsecurityaudit .cn
reliable-scanner06 .com
reliable-scanner09 .com
superb-virus-scan03 .com

78.46.251 .43/download/antivirus-9DC048_2009-2053.exe
antimalwarescanner8 .com
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-scanner6 .com
antivirusonlinescan6 .com
best-antivirus3 .com
best-antivirus8 .com
best-antivirus9 .com
live-virus-scanner5 .com
live-virus-scanner9 .com

91.212.107 .5/download/antivirus-8D5D21_2015-5.exe
advancedpcscanner3 .com
bestpersonalprotectionv7 .com
computer-antivirus-scanv9 .com
fastvirusscanv6 .com
govirusscanner .com
intellectual-vir-scan08 .com
intellectual-vir-scan09 .com
onlineantispywarescanv6 .com
onlinebestscannerv3 .com
onlinepersonalscanner .com
onlineproantivirusscan .com
onlineproantivirusscanner .com
personalfolderscanv2 .com
private-antivirus-scannerv2 .com
reliable-scanner01 .com
reliable-scanner05 .com
secure-antispyware-scanv3 .com
securityfolderprotection .com
spyware-scannerv2 .com
spywarescannerv4 .com

88.198.107 .25/download/antivirus-7C545A_2011-7.exe
antimalwarescanner8 .com
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-scanner6 .com
antivirusonlinescan6 .com
best-antivirus3 .com
best-antivirus8 .com
best-antivirus9 .com
live-virus-scanner5 .com
live-virus-scanner9 .com
online-best-scanv3 .com
premium-antispy-scanv3 .com
premium-antispy-scanv7 .com
safeonlinescannerv4 .com
safeonlinescanv4 .com
secure-spyware-scannerv3 .com

78.46.201 .89/download/antivirus_19.exe
antivir-scan-my-pc .com
antivir-scan-online .com
antivirscanmycomputer .com
awardantivirusscan .com
best-virus-scanner4 .com
best-virus-scanner6 .com
bestvanillaresorts .cn
bewareofvirusattacks3 .com
clean-all-spyware03 .com
clean-all-spyware07 .com
hqvirusscanner5 .com
hqvirusscanner7 .com
hqvirusscanner8 .com
megaspywarescan2 .com
thebestviruscheck .com
totalspywarescan3 .com
totalspywarescan5 .com
tryantivirusscan .com
valueantivirusshop1 .com
warningmalwarealert .com
warningmalwarealert2 .com
warningvirusalert .com
worldbestonlinescanner .com
yourholidaytoday .cn

209.44.126 .52/download/antivirus-71B_2033-8.exe
advancedvirscanner3 .com
antimalwareonlinescanv4 .com
antivirus-scannerv17 .com
antivirusquickscan2 .com
best-security-scanv8 .com
bestantispywarescanv4 .com
bestantivirusscanv8 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com
virusonlinescanv3 .com

94.102.51 .26/download/antivirus-C8D1_2009-1506.exe
advancedpcscanner3 .com
bestpersonalprotectionv7 .com
computer-antivirus-scanv9 .com
fastvirusscanv6 .com
govirusscanner .com
intellectual-vir-scan08 .com
intellectual-vir-scan09 .com
onlinebestscannerv3 .com
onlinepersonalscanner .com
onlineproantivirusscan .com
onlineproantivirusscanner .com
reliable-scanner01 .com
reliable-scanner05 .com
secure-antispyware-scanv3 .com
securityfolderprotection .com
spyware-scannerv2 .com
spywarescannerv4 .com

193.169.12 .70/download/antivirus_70.exe
91.212.127 .200/download/antivirus-AD4D76_2006-69.exe
78.46.251 .43/download/antivirus-913_2004.exe
78.46.201 .89/download/antivirus_156.exe
209.44.126 .52/download/antivirus-9853D_2033-7.exe
78.46.251 .43/download/antivirus-75FF09D_2007.exe
88.198.107 .25/download/antivirus-A4238A0_2009-1.exe
209.44.126 .52/download/antivirus-815_2033-7.exe
94.102.51 .26/download/antivirus-5C76A_2006-69.exe
91.212.107 .5/download/antivirus-CE41_2007.exe
88.198.120 .177/download/antivirus-4A8D4_2030-4.exe
78.46.251 .43/download/antivirus-815_2015-5.exe
88.198.81 .153/download/antivirus-9DC048_2002-8.exe
83.133.126 .201/download/antivirus-9AB1B_2024-7.exe
94.102.51 .26/download/antivirus-E3DAD_2006-69.exe
78.46.201 .89/download/antivirus_88S1.exe